2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I will walk you through an example analysis of the worm-level vulnerability BlueKeep (CVE-2019-0708) and its EXP, a topic many people may not understand well. To help you understand it better, the editor has summarized the following content; I hope you get something out of this article.
When I woke up, the rainy Shanghai sky had finally cleared, but a "torrential rain" was falling in WeChat Moments: the so-called WannaCry-level vulnerability BlueKeep (CVE-2019-0708) exploit had been released.
Metasploit announced on its blog and on Twitter that it has officially integrated an exploit module for CVE-2019-0708 (also known as BlueKeep). Although this initial version only targets 64-bit Windows 7 and Windows Server 2008 R2, it is a clear threat signal: countless potential attackers are now paying attention, and the impact of BlueKeep will become increasingly apparent as the module is updated.
Many security teams and laboratories have already reproduced the vulnerability, further confirming that the EXP works. Note that the EXP can easily blue-screen the target system and interrupt its services, so red teams are advised to assess the importance of a system and proceed with caution before testing.
About BlueKeep (CVE-2019-0708)
On May 15, Beijing time, Microsoft released a fix for CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services that can be triggered without any user interaction. This means attackers could use it to build a worm, similar to the WannaCry worm that swept the world in 2017, that spreads and causes damage on a large scale.
A remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system over RDP and sends specially crafted requests. An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system, and can then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, an attacker only needs to send a malicious request to the target system's Remote Desktop Service over RDP.
Timeline of this vulnerability:
1. May 14, 2019
Microsoft issued a security advisory and corresponding patch for remote code execution vulnerability CVE-2019-0708 in Remote Desktop Services, with a dedicated note stating that this is a serious vulnerability that could lead to the spread of worms.
2. May 15, 2019
The Douxiang intelligent security platform issued a vulnerability early warning and disposal plan, followed by an online vulnerability detection tool on the Douxiang intelligent security platform ARS/PRS.
3. May 23, 2019
PoC programs with non-destructive vulnerability scanning capability appeared in public Internet channels.
4. May 25, 2019
Hackers began to scan vulnerable devices on a large scale.
5. May 30, 2019
Microsoft once again issued a reminder to fix the CVE-2019-0708 vulnerability. Based on the severity of the vulnerability, it is strongly recommended that users upgrade and fix it as soon as possible.
6. 31 May 2019
PoC code that can lead to blue screen has appeared in public channels on the Internet. Douxiang Security Emergency response team has confirmed the availability of PoC code.
7. June 8, 2019
Commercial versions of Metasploit begin to offer exploit modules that can lead to remote code execution
8. 31 July 2019
Commercial exploit kit Canvas adds the exploit module of CVE-2019-0708
9. September 7, 2019
Metasploit CVE-2019-0708 vulnerability exploitation modules have been released in public channels, which pose a real worm threat.
Vulnerability impact
An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system. The attacker can then install the program; view, change, or delete data; or create a new account with full user privileges.
Affected products
Operating system: Windows
Versions:
Windows 7
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003 (maintenance stopped)
Windows XP (maintenance stopped)
Affected module: Remote Desktop Services
Official patch
Update through the automatic update function of the Windows operating system, or
download the patch for your system version from the list at the end of this article, then run it to install.
Interim mitigations
1. Disable Remote Desktop Services
2. Block the Remote Desktop Service port (TCP 3389) in the firewall
3. Enable Network Level Authentication (NLA) on Windows 7, Windows Server 2008, and Windows Server 2008 R2
References
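The following PowerShell script is an added example, not part of the original advisory: it audits a single Windows host for the May 2019 patch and for each of the three interim mitigations above. It assumes it is run as Administrator on Windows 7 / Server 2008 (R2) with an English-locale netsh; the KB numbers are taken from the article's patch list.

```powershell
# Added example (not from the original advisory): audit one host for the
# CVE-2019-0708 patch and the three interim mitigations.
# Assumes: PowerShell 2.0+, run as Administrator, English netsh output.
# KB numbers from the article's patch list; which one applies depends on the OS.
$kbList = 'KB4499175', 'KB4499149', 'KB4499180', 'KB4500331'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue($Path, $Name) {
    # Return $null when the value does not exist instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Patch present? Get-HotFix reads the installed-update list (Win32_QuickFixEngineering)
$patched = [bool](Get-HotFix -Id $kbList -ErrorAction SilentlyContinue)

# Mitigation 1: fDenyTSConnections = 1 means Remote Desktop is switched off
$rdpOff  = (Get-RegValue $tsKey 'fDenyTSConnections') -eq 1

# Mitigation 3: UserAuthentication = 1 enforces Network Level Authentication, so an
# unauthenticated client is rejected before the pre-auth RDP code path is reached
$nlaOn   = (Get-RegValue $rdpTcp 'UserAuthentication') -eq 1

# Mitigation 2: read the configured RDP port (default 3389, but it can be changed)
# and check whether anything is listening on it
$port    = Get-RegValue $rdpTcp 'PortNumber'
if (-not $port) { $port = 3389 }
$listens = [bool]((netstat -an) -match "[:\.]$port\s+.*LISTENING")

# Firewall heuristic: any enabled inbound rule that blocks the RDP port.
# Rules are split on "Rule Name:" so fields are matched within one rule only.
$blocked  = $false
$ruleText = netsh advfirewall firewall show rule name=all dir=in | Out-String
foreach ($r in ($ruleText -split '(?m)^Rule Name:')) {
    if ($r -match 'Enabled:\s+Yes' -and $r -match "LocalPort:\s+$port\b" -and
        $r -match 'Action:\s+Block') { $blocked = $true }
}

$report = New-Object PSObject -Property @{
    Patched = $patched; RdpDisabled = $rdpOff; NlaEnforced = $nlaOn
    RdpPort = $port;    PortListening = $listens; InboundBlockRule = $blocked
}
$report | Format-List
if (-not $patched -and $listens -and -not ($rdpOff -or $blocked -or $nlaOn)) {
    Write-Warning "Unpatched host with RDP exposed and no NLA: patch or apply a mitigation."
}
```

NLA only reduces exposure on Windows 7 / Server 2008 R2 where it is supported; an unpatched host that still accepts pre-auth RDP connections should be treated as vulnerable regardless of the other checks.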
Https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Https://github.com/rapid7/metasploit-framework/pull/12283?from=timeline&isappinstalled=0
Official patch downloads (operating system version: patch download link)
Windows 7 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x86_6f1319c32d5bc4caf2058ae8ff40789ab10bf41b.msu
Windows 7 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu
Windows Embedded Standard 7 for x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu
Windows Embedded Standard 7 for x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x86_6f1319c32d5bc4caf2058ae8ff40789ab10bf41b.msu
Windows Server 2008 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x64_9236b098f7cea864f7638e7d4b77aa8f81f70fd6.msu
Windows Server 2008 Itanium: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499180-ia64_805e448d48ab8b1401377ab9845f39e1cae836d4.msu
Windows Server 2008 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x86_832cf179b302b861c83f2a92acc5e2a152405377.msu
Windows Server 2008 R2 Itanium: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-ia64_fabc8e54caa0d31a5abe8a0b347ab4a77aa98c36.msu
Windows Server 2008 R2 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu
Windows Server 2003 x86: http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x86-custom-chs_4892823f525d9d532ed3ae36fc440338d2b46a72.exe
Windows Server 2003 x64: http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-chs_f2f949a9a764ff93ea13095a0aca1fc507320d3c.exe
Windows XP SP3: http://download.windowsupdate.com/c/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-custom-chs_718543e86e06b08b568826ac13c05f967392238c.exe
Windows XP SP2 for x64: http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-enu_e2fd240c402134839cfa22227b11a5ec80ddafcf.exe
Windows XP SP3 for XPe: http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-embedded-custom-chs_96da48aaa9d9bcfe6cd820f239db2fe96500bfae.exe
WES09 and POSReady 2009: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/04/windowsxp-kb4500331-x86-embedded-chs_e3fceca22313ca5cdda811f49a606a6632b51c1c.exe
The above is the relevant information about this high-risk vulnerability warning.